Skip to content

Instantly share code, notes, and snippets.

@dwilliams782

dwilliams782/linkerd-webhook-cert-bundle.yaml

Last active January 5, 2024 14:17
Show Gist options
  • Save dwilliams782/a5835772e018da4f7304df657229a87b to your computer and use it in GitHub Desktop.
Save dwilliams782/a5835772e018da4f7304df657229a87b to your computer and use it in GitHub Desktop.
Download ZIP
Raw
linkerd-webhook-cert-bundle.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: linkerd-self-signed-webhook-issuer
namespace: cert-manager
spec:
selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: linkerd-webhook-issuer-ca
namespace: cert-manager
spec:
isCA: true
duration: 87660h # 10 years
renewBefore: 360h # 15 days
commonName: webhook.linkerd.cluster.local
secretName: linkerd-webhook-issuer-tls
privateKey:
algorithm: ECDSA
size: 256
issuerRef:
name: linkerd-self-signed-webhook-issuer
kind: ClusterIssuer
group: cert-manager.io
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: linkerd-webhook-issuer
namespace: cert-manager
spec:
ca:
secretName: linkerd-webhook-issuer-tls
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: linkerd-policy-validator
namespace: linkerd
spec:
secretName: linkerd-policy-validator-k8s-tls
duration: 8766h # 1 year
renewBefore: 720h # 30 days
issuerRef:
name: linkerd-webhook-issuer
kind: ClusterIssuer
commonName: linkerd-policy-validator.linkerd.svc
dnsNames:
- linkerd-policy-validator.linkerd.svc
isCA: false
privateKey:
algorithm: ECDSA
encoding: PKCS8
usages:
- server auth
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: linkerd-proxy-injector
namespace: linkerd
spec:
secretName: linkerd-proxy-injector-k8s-tls
duration: 8766h # 1 year
renewBefore: 720h # 30 days
issuerRef:
name: linkerd-webhook-issuer
kind: ClusterIssuer
commonName: linkerd-proxy-injector.linkerd.svc
dnsNames:
- linkerd-proxy-injector.linkerd.svc
isCA: false
privateKey:
algorithm: ECDSA
usages:
- server auth
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: linkerd-sp-validator
namespace: linkerd
spec:
secretName: linkerd-sp-validator-k8s-tls
duration: 8766h # 1 year
renewBefore: 720h # 30 days
issuerRef:
name: linkerd-webhook-issuer
kind: ClusterIssuer
commonName: linkerd-sp-validator.linkerd.svc
dnsNames:
- linkerd-sp-validator.linkerd.svc
isCA: false
privateKey:
algorithm: ECDSA
usages:
- server auth
---
# ignore if not using the viz extension
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: tap
namespace: linkerd-viz
spec:
secretName: tap-k8s-tls
duration: 8766h # 1 year
renewBefore: 720h # 30 days
issuerRef:
name: linkerd-webhook-issuer
kind: ClusterIssuer
commonName: tap.linkerd-viz.svc
dnsNames:
- tap.linkerd-viz.svc
isCA: false
privateKey:
algorithm: ECDSA
usages:
- server auth
---
# ignore if not using the viz extension
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: linkerd-tap-injector
namespace: linkerd-viz
spec:
secretName: tap-injector-k8s-tls
duration: 8766h # 1 year
renewBefore: 720h # 30 days
issuerRef:
name: linkerd-webhook-issuer
kind: ClusterIssuer
commonName: tap-injector.linkerd-viz.svc
dnsNames:
- tap-injector.linkerd-viz.svc
isCA: false
privateKey:
algorithm: ECDSA
usages:
- server auth
#---
# we do not currently use the jaeger extension
#apiVersion: cert-manager.io/v1
#kind: Certificate
#metadata:
# name: jaeger-injector
# namespace: linkerd-jaeger
#spec:
# secretName: jaeger-injector-k8s-tls
# duration: 24h
# renewBefore: 1h
# issuerRef:
# name: linkerd-webhook-issuer
# kind: ClusterIssuer
# commonName: jaeger-injector.linkerd-jaeger.svc
# dnsNames:
# - jaeger-injector.linkerd-jaeger.svc
# isCA: false
# privateKey:
# algorithm: ECDSA
# usages:
# - server auth
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment